From ffb3ffe818c5444c3407ec79565a99db53397a2d Mon Sep 17 00:00:00 2001
From: iahmad
Date: Tue, 19 Mar 2013 05:09:52 +0000
Subject: Empty password is not supported by xfreerdp, stop the authentication as soon as encounter an empty password
---
 src/pam-freerdp.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index 8979e6e..ff09ce4 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -120,6 +120,11 @@ get_item (pam_handle_t * pamh, int type)
 }

 if (type == PAM_AUTHTOK) {
+ if (strlen(promptval) == 0){
+ free(promptval);
+ return NULL;
+ }
+
 if (mlock(promptval, strlen(promptval) + 1) != 0) {
 free(promptval);
 return NULL;
-- 
cgit v1.2.3
From 788858a758cb0db992247299c4b430ba603196e2 Mon Sep 17 00:00:00 2001
From: Iftikhar Ahmad
Date: Tue, 19 Mar 2013 12:25:39 +0500
Subject: unit test for empty password bug
---
 tests/mock_pam.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 tests/mock_pam.h | 1 +
 tests/test-freerdp-wrapper.cc | 10 ++++++++++
 3 files changed, 53 insertions(+)
diff --git a/tests/mock_pam.c b/tests/mock_pam.c
index 6368b84..2a1dcc7 100644
--- a/tests/mock_pam.c
+++ b/tests/mock_pam.c
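Review bot: In get_item (src/pam-freerdp.c) the new `strlen(promptval) == 0` test is the first use of `promptval` in this hunk, and nothing visible shows that it cannot be NULL. The mlock line that follows makes the same assumption, so the guarantee may exist earlier in the function, which starts and ends outside the hunk. If it does not, `if (promptval == NULL || promptval[0] == '\0') {` covers both cases without walking the string. A one-line comment such as `/* xfreerdp cannot log in with an empty password: fail the request here */` would record why an empty PAM_AUTHTOK is refused, since the reason currently lives only in the commit subject.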
@@ -47,7 +47,37 @@ int fake_conv (int num_msg, const struct pam_message **msg,
 return PAM_SUCCESS;
 }

+int fake_conv_empty_password (int num_msg, const struct pam_message **msg,
+ struct pam_response **resp, void *appdata_ptr)
+{
+ struct pam_response *response = NULL;
+ response = malloc (sizeof (struct pam_response));
+
+ if (response == NULL)
+ return PAM_BUF_ERR;
+
+ response->resp_retcode = 0;
+
+ if (strcmp((*msg)->msg, "login:") == 0)
+ response->resp = strdup ("guest"); /* IMPORTANT: this needs to be in /etc/passwd */
+ else if (strcmp((*msg)->msg, "remote login:") == 0)
+ response->resp = strdup ("ruser");
+ else if (strcmp((*msg)->msg, "remote host:") == 0)
+ response->resp = strdup ("protocol://rhost/dummy");
+ else if (strcmp((*msg)->msg, "password:") == 0)
+ response->resp = strdup ("");
+ else if (strcmp((*msg)->msg, "domain:") == 0)
+ response->resp = strdup ("domain");
+ else
+ return PAM_SYMBOL_ERR; /* leaks... */
+
+ *resp = response;
+
+ return PAM_SUCCESS;
+}
+
 struct pam_conv static_conv = { &fake_conv, (void *)NULL };
+struct pam_conv static_conv_empty_pswd = { &fake_conv_empty_password, (void *)NULL };

 pam_handle_t *pam_handle_new (void)
 {
@@ -61,6 +91,18 @@ pam_handle_t *pam_handle_new (void)
 return newh;
 }

+pam_handle_t *pam_handle_empty_pswd_new (void)
+{
+ pam_handle_t *newh = malloc (sizeof (pam_handle_t));
+
+ if (newh != NULL) {
+ newh->conv = &static_conv_empty_pswd;
+ memset(newh->item, 0, sizeof(void *) * PAM_NUM_ITEMS);
+ }
+
+ return newh;
+}
+
 int pam_get_item (const pam_handle_t *pamh, int type, const void **value)
 {
 if (pamh == NULL)
diff --git a/tests/mock_pam.h b/tests/mock_pam.h
index eb88a2e..c9c4f36 100644
--- a/tests/mock_pam.h
+++ b/tests/mock_pam.h
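Review bot: fake_conv_empty_password (tests/mock_pam.c) returns `PAM_SYMBOL_ERR` for an unknown prompt without releasing `response`, as its own `/* leaks... */` comment admits. Replacing that branch with `else { free (response); return PAM_SYMBOL_ERR; }` closes the leak and keeps leak checkers quiet when the suite runs under them. The `strdup` results are also stored unchecked, so an allocation failure would hand the module a NULL `resp` together with `PAM_SUCCESS`. The function looks like a copy of fake_conv with only the `"password:"` reply changed (fake_conv's body is outside the hunk); supplying the password through `appdata_ptr` would let one conversation function serve both handles.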
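Review bot: pam_handle_empty_pswd_new (tests/mock_pam.c, second hunk) allocates with `malloc` and then initialises only `conv` and `item`, so any other member of the handle struct is left indeterminate; the struct definition is not part of this diff. Using `pam_handle_t *newh = calloc (1, sizeof *newh);` followed by the `conv` assignment zeroes the whole handle and removes the hand-computed `memset` size. The function also repeats what pam_handle_new appears to do (only its last lines are visible here), so a static helper taking the `struct pam_conv *` would keep the two constructors from drifting apart.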
@@ -17,6 +17,7 @@ typedef struct pam_handle pam_handle_t;
 pam_handle_t *pam_handle_new (void);
+pam_handle_t *pam_handle_empty_pswd_new (void);
 int pam_get_item (const pam_handle_t *pamh, int type, const void **value);
 int pam_set_item (pam_handle_t *pamh, int type, const void *value);
diff --git a/tests/test-freerdp-wrapper.cc b/tests/test-freerdp-wrapper.cc
index 147682d..6ba670f 100644
--- a/tests/test-freerdp-wrapper.cc
+++ b/tests/test-freerdp-wrapper.cc
@@ -58,6 +58,16 @@ namespace {
 // that I got all of the wrapper and pam to link there
 }

+ TEST_F(FreerdpclientWrapperTest, canHandleEmptyPassword) {
+ const char *argv[] = { NULL };
+
+ pam_handle_t *pamh = pam_handle_empty_pswd_new ();
+
+ EXPECT_EQ (PAM_AUTH_ERR,
+ pam_sm_authenticate (pamh, 0, 0, argv));
+
+ }
+
 TEST_F(FreerdpclientWrapperTest, canCallPamOpenSession) {
 const char *argv[] = { NULL };

-- 
cgit v1.2.3
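Review bot: canHandleEmptyPassword (tests/test-freerdp-wrapper.cc) asserts only `PAM_AUTH_ERR`, which shows that authentication failed but not that the empty password is what caused it. If pam_sm_authenticate returns the same code for other failures, which this diff does not show, the test would still pass with the new check removed. Running the same call on a handle from `pam_handle_new ()` and expecting a different result would tie the failure to the password. `pamh` is also used without a NULL check although the mock constructor can return NULL, so `ASSERT_TRUE (pamh != NULL);` before the call would help, and the handle is never released in the test.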